Activity Monitoring for AWS

Identify overprovisioned and inactive users using CloudTrail logs.

Early Access: Activity Monitoring is available on a limited basis for early preview and customer feedback. Contact our support team to enable this feature for your Veza platform.

After enabling Activity Monitoring for an existing AWS integration, Veza gathers CloudTrail logs to audit user activity and generate Over Provisioned Access Scores (OPAS) to show the percent of unutilized access.

The Activity Monitoring dashboard shows the dormant and over-provisioned AWS IAM Users, based on the resources they can access and the current Activity Monitoring time range. You can add constraints on OPAS to Queries and Rules to enforce policies around user activity and actual resource usage.

Notes

  • Supported Entities: OPAS are shown for relationships between AWS IAM Users and AWS S3 Buckets, and between AWS IAM Users and AWS Secrets Manager Secrets.

  • Monitoring for multiple AWS accounts: To enable Activity Monitoring for multi-account organizations, repeat these steps for the AWS integrations associated with each account. In Query Builder results, OPAS will be N/A for users from accounts where Activity Monitoring is not enabled.

Enabling Activity Monitoring for AWS

Step 1: Retrieve CloudTrail region and trail name

To gather activity data, Veza connects to a single Trail whose event logs cover the desired regions and resources. To enable Activity Monitoring, the integrated AWS account must have CloudTrail enabled.

  • To use an existing Trail, search for CloudTrail on the AWS Console, and save the trail's name and region for configuring the integration in Veza. The trail must log S3, Secrets Manager, and IAM events (IAM and STS events are needed to resolve AssumedRole sessions back to the principal that assumed the role).

  • If Veza cannot use an existing Trail, see Creating a Trail for the current instructions from AWS.

    • Veza recommends choosing the predefined template for S3 buckets, which creates a Trail logging activity on all existing and newly-created buckets in the desired regions. Object-level S3 activity such as GetObject is logged as a data event; a trail that logs only management events will not record it, and no S3 OPAS can be computed from such a trail.

    • You can optionally define an advanced event selector to gather events only for specific resources or regions.
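The selector set below is an added example, not Veza's code or a template from the AWS console: it builds advanced event selectors that keep all management events (IAM, STS AssumeRole, Secrets Manager) and add S3 object-level data events, and it runs a small evaluator over constructed CloudTrail records to show which of them a management-only trail would miss. The bucket names, account IDs and record contents are constructed placeholders.

```python
"""Added example (not Veza's code): advanced event selectors for a trail that must
log IAM/STS and Secrets Manager management events plus S3 object data events,
with a check of which constructed CloudTrail records such a trail would capture."""

# What a trail created with the console defaults logs: management events only.
MANAGEMENT_ONLY = [
    {"Name": "Management events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
]


def veza_event_selectors(buckets=None):
    """Management events plus S3 object data events, optionally restricted to
    the given bucket names (None = every bucket in the trail's regions)."""
    s3 = [{"Field": "eventCategory", "Equals": ["Data"]},
          {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]
    if buckets:
        s3.append({"Field": "resources.ARN",
                   "StartsWith": [f"arn:aws:s3:::{b}/" for b in buckets]})
    return MANAGEMENT_ONLY + [{"Name": "S3 object data events", "FieldSelectors": s3}]


_OPERATORS = {
    "Equals": lambda value, wanted: value == wanted,
    "StartsWith": lambda value, wanted: value.startswith(wanted),
    "EndsWith": lambda value, wanted: value.endswith(wanted),
}


def _field_values(record, field):
    """Resolve a selector field against a CloudTrail record. 'resources.*' fields
    can have several values because a record lists every resource it touched."""
    if field.startswith("resources."):
        key = field.split(".", 1)[1]
        return [r[key] for r in record.get("resources", []) if key in r]
    return [record[field]] if field in record else []


def _field_selector_matches(selector, record):
    """Positive operators need at least one value to match; the Not* forms
    (NotEquals, NotStartsWith, NotEndsWith) need no value to match."""
    values = _field_values(record, selector["Field"])
    for op_name, wanted_list in selector.items():
        if op_name == "Field":
            continue
        negate = op_name.startswith("Not")
        op = _OPERATORS[op_name[3:] if negate else op_name]
        hit = any(op(v, w) for v in values for w in wanted_list)
        if hit == negate:
            return False
    return True


def captured(selectors, record):
    """A record is logged if ANY selector matches, and a selector matches only
    if ALL of its field selectors match."""
    return any(all(_field_selector_matches(fs, record) for fs in sel["FieldSelectors"])
               for sel in selectors)


# Constructed records (hypothetical account 222222222222), trimmed to the fields
# that advanced event selectors look at.
SAMPLE_RECORDS = {
    "sts:AssumeRole": {
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "eventCategory": "Management",
        "resources": [{"type": "AWS::IAM::Role",
                       "ARN": "arn:aws:iam::222222222222:role/app"}]},
    "secretsmanager:GetSecretValue": {
        "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
        "eventCategory": "Management",
        "resources": [{"type": "AWS::SecretsManager::Secret",
                       "ARN": "arn:aws:secretsmanager:us-east-2:222222222222:secret:db-creds-AbCdEf"}]},
    "s3:GetObject finance-reports": {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventCategory": "Data",
        "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::finance-reports/q1.csv"},
                      {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::finance-reports"}]},
    "s3:GetObject other-bucket": {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventCategory": "Data",
        "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::other-bucket/notes.txt"},
                      {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::other-bucket"}]},
}


def missing_events(selectors):
    """Names of the sample records the trail would NOT log."""
    return [name for name, rec in SAMPLE_RECORDS.items() if not captured(selectors, rec)]


if __name__ == "__main__":
    print("default trail misses:", missing_events(MANAGEMENT_ONLY))
    print("recommended trail misses:", missing_events(veza_event_selectors()))
```

The selector list returned by veza_event_selectors() is in the shape accepted by the AdvancedEventSelectors parameter of the CloudTrail PutEventSelectors API (aws cloudtrail put-event-selectors --advanced-event-selectors); restricting data events to specific buckets keeps log volume down but also limits which S3 relationships get an OPAS.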

Step 2: Update AWS integration permissions

You might need to update the integration's AWS policy so that Veza can read CloudTrail configuration. On the AWS IAM Console, open the Policies page and locate the policy used by the Veza-AWS Integration. Edit the policy to include the following statement, and save the changes:

{
  "Sid": "CloudTrail",
  "Effect": "Allow",
  "Action": [
    "cloudtrail:GetTrail"
  ],
  "Resource": "*"
}

This lets Veza read the configuration metadata of the trail it is pointed at (home region, S3 bucket and prefix, and the KMS key, if any).

Creating an AWS integration with the current Veza-AWS connector policy includes the CloudTrail statement by default.

Also, Veza must be able to read the log files that CloudTrail writes to S3:

  • s3:ListBucket on the S3 bucket that CloudTrail logs into

  • s3:GetObject on the log objects this trail writes to the bucket

    Either an ACL or a bucket policy can grant this. The object Resource must match object keys under the trail's prefix, so it should end with a wildcard rather than naming the prefix alone. If the Veza principal is in a different AWS account from the bucket, the principal's own IAM policy must also allow these actions. Example bucket policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VezaReadTrailObjects",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<ARN of the Veza service principal>"
                },
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::<bucket name>/AWSLogs/<path to the files for the veza account>"
            },
            {
                "Sid": "VezaListTrailBucket",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<ARN of the Veza service principal>"
                },
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket name>"
                ]
            }
        ]
    }
  • kms:Decrypt on the KMS key. Required if the trail is configured to encrypt log files with a customer managed key. Example statement for the key policy (for a principal in another account, the principal's IAM policy must also allow kms:Decrypt on the key):

    {
        "Sid": "VezaDecryptTrailLogs",
        "Effect": "Allow",
        "Principal": {
            "AWS": "<ARN of the Veza service principal>"
        },
        "Action": "kms:Decrypt",
        "Resource": "<the key ARN>"
    }

    You can find the trail's S3 bucket, prefix and KMS key under “General details” on the trail details page.

Testing S3 Permissions: To validate that Veza can read the trail's logs in S3, use the credentials of the user or role that Veza assumes to access AWS and download one log object (the key is the full object key, including the AWSLogs/ prefix):

aws s3api get-object --bucket <the S3 bucket for the trail> --key <any log file in the bucket> <path to save the file>
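The script below is an added example, not Veza's code: it assembles the three grants Step 2 describes (the IAM statement, the bucket policy and the key policy statement) for constructed placeholder names, and runs them through a minimal IAM-style evaluator so the shape of each policy can be checked offline before it is applied. It also reproduces the common mistake of granting s3:GetObject on the log prefix itself, which matches no object. The principal, bucket, prefix and key ARN are hypothetical; the evaluator ignores Deny statements and Conditions, which these policies do not use, and is not a substitute for the aws s3api get-object check above.

```python
"""Added example (not Veza's code): build the Step 2 permission grants and
sanity-check them with a minimal policy evaluator. All names are placeholders."""
import fnmatch
import json

VEZA_PRINCIPAL = "arn:aws:iam::111111111111:role/veza-integration"  # hypothetical
LOG_BUCKET = "example-cloudtrail-logs"                              # hypothetical
LOG_PREFIX = "AWSLogs/222222222222/CloudTrail/"                     # hypothetical
KMS_KEY_ARN = ("arn:aws:kms:us-east-2:222222222222:key/"
               "11111111-2222-3333-4444-555555555555")              # hypothetical


def iam_cloudtrail_statement():
    """Statement to add to the Veza integration's IAM policy."""
    return {"Sid": "CloudTrail", "Effect": "Allow",
            "Action": ["cloudtrail:GetTrail"], "Resource": "*"}


def bucket_policy(bucket, prefix, principal, object_suffix="*"):
    """Bucket policy: ListBucket on the bucket, GetObject under the trail prefix.

    s3:GetObject is evaluated against object ARNs, so the Resource must end in a
    wildcard (object_suffix="*"). Pass "" to reproduce the common mistake of
    granting GetObject on the prefix "folder" itself, which matches no object."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VezaListTrailBucket", "Effect": "Allow",
             "Principal": {"AWS": principal},
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "VezaReadTrailObjects", "Effect": "Allow",
             "Principal": {"AWS": principal},
             "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}{object_suffix}"},
        ],
    }


def key_policy(principal):
    """Key policy for a trail that encrypts logs with a customer managed key.
    In a key policy, "Resource": "*" means the key the policy is attached to."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "VezaDecryptTrailLogs", "Effect": "Allow",
         "Principal": {"AWS": principal},
         "Action": "kms:Decrypt", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, principal, action, resource):
    """True if some Allow statement names the principal (or "*"), the action and
    the resource, using IAM-style "*" wildcards. Deny statements and Condition
    blocks are ignored; the policies above do not use them."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        princ = st.get("Principal", "*")
        principals = _as_list(princ.get("AWS", "*") if isinstance(princ, dict) else princ)
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False


def check_trail_access(policy, principal, bucket, sample_key):
    """The two S3 checks Veza needs, returned as a dict so they can be asserted on."""
    return {
        "list": allows(policy, principal, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "get": allows(policy, principal, "s3:GetObject", f"arn:aws:s3:::{bucket}/{sample_key}"),
    }


if __name__ == "__main__":
    pol = bucket_policy(LOG_BUCKET, LOG_PREFIX, VEZA_PRINCIPAL)
    print(json.dumps(pol, indent=2))
    sample = LOG_PREFIX + "us-east-2/2024/01/01/example.json.gz"
    print("correct policy:", check_trail_access(pol, VEZA_PRINCIPAL, LOG_BUCKET, sample))
    bad = bucket_policy(LOG_BUCKET, LOG_PREFIX, VEZA_PRINCIPAL, object_suffix="")
    print("prefix without wildcard:", check_trail_access(bad, VEZA_PRINCIPAL, LOG_BUCKET, sample))
```

Because the prefix includes the account ID, the GetObject grant stays scoped to that account's log objects even when the bucket collects logs for several accounts; a principal from another account, or a key outside the prefix, is not matched.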

Step 3: Enable Audit Logs for the AWS Integration

On the Veza Integrations page, click Enable Audit Logs next to the name of the AWS integration. In the modal, enter the values you saved from AWS:

  • The name of the Trail Veza will connect to, e.g. veza_s3_monitoring.

    • Organization trails: If the trail is not owned by the account that Veza has access to, use its full ARN instead of its name.

  • The AWS region where the trail resides (its home region), e.g. us-east-2.

Save your changes. The integration will gather CloudTrail logs to calculate Over-Provisioned Access Scores during the next extraction cycle.
